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Claims: 

1 . A method for computer workstation based information protection, the method 
comprising: 

a) monitoring user's actions on said computer workstation, 

b) analysis of said actions in respect to a pre-defined policy to determine whether 
said actions prejudice information to which said policy applies, and 

c) executing said policy in accordance with the results of said analysis to prevent 
or modify or restrict or monitor or log said actions. 

2. A method according to claim 1, wherein said policy comprises restrictions on at 
least one of the following actions: print, save, copy, autosave, fax. 

3. A method according to claim 1, wherein said monitoring said user's actions on 
said workstation comprises detection of indications of attempts at tampering. 

4. A method according to claim 3, wherein said detection of indications of attempts 
at tampering comprises obtaining logical indications or statistical indications. 

5. A method according to claim 3, wherein said detection of indications of attempts 
of tampering comprises detection of at least one un-certified add-in. 

6. A method according to claim 5, wherein said detection includes noting that said 
un-certified add-in is hooked to events of a local operating system. 

7. A method according to claim 3; wherein said detection of indications of attempts 
at tampering comprises detection of at least one debugging technique. 

8. A method according to claim 7, wherein said debugging technique comprises use 
of any of: 

a debugger, 

a virtual machine, 
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a software emulator, 

a software trap, and 

a remote administration tool. 

9. A method according to claim 3, wherein said policy comprises restrictions of 
actions made available to said user upon said detection of indications of attempts of 
tampering. 

10. A method according to claim 9, wherein said restrictions of user's actions upon 
said detection of indications of attempts of tampering comprise applying restrictions on 
actions within a software application operable to process said information. 

11. A method according to claim 3, wherein said execution of said policy comprises 
performing at least one action upon detection of indications of attempts of tampering. 

1 2. A method according to claim 1 1 , wherein, said actions comprise at least one of 
the following: encrypting at least one buffer, and encrypting at least one shared memory. 

13. A method according to claim 1 1, wherein said actions comprise preventing the 
decryption of encrypted digital content. 

14. A method according to claim 1 , wherein said pre-defined policy is defined with 
respect to a software application on said user's workstation. 

15. A method according to claim 1, wherein said policy comprises reporting about 
attempts to perform actions that do not comply with an organizational policy or about 
attempts to perform actions that are suspected to not comply with the organizational 
policy. 
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16. A method according to claim 1, wherein said policy comprises performing 
logging of attempts to perform actions that that do not comply or are suspected to not 
comply with the organizational policy. 

1 7. A method according to claim 1, wherein said information protection comprises 
protecting information held within a software data processing application able to process 
said information. 

18. A method according to claim 17, wherein said software data processing 
application operates in conjunction with a software client. 

19. A method according to claim 17*, wherein said software client is a 
tamper-resistant software client. 

20. A method according to claim 1 7, wherein said software client is operable to 
monitor said user's actions and to execute said policy. 

21- A method according to claim 17, wherein said software client is operable to 
detect information based on statistical identifiers residing in a specialized database. 

22. A method according to claim 1 7, wherein said software client is further operable 
to detect events of said software application. 

23. A method according to claim 22, wherein said events comprise events required 
for any of: 

printing said information; 
copying said information; 
storing said information, and 
displaying said information. 
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24. A method according to claim 1 , wherein said policy further comprising managing 
usage rights, 

25. A method according to claim 24, wherein said usage rights are determined 
according to any of: 

the classification of the document; 
the classification level of the user, and 
the authentication level of the user. 

26. A method according to claim 24, wherein said usage rights comprise any of: 
viewing at least part of said information; 

modifying at least part of said information; 

sending at least part of said information to a recipient; 

storing at least part of said information; 

storing at least part of said infoimation by an application; 

storing at least part of said information by a file system; 

storing at least part of said information in a portable device; 

storing at least part of said information in a removable media; 

storing at least part of said information portable storage device that is connected 

to said workstation using a USB port; 

pasting at least part of said information into a document; 

printing at least part of said information; 

printing at least part of said information to file; 

printing at least part of said information to a fax, and 

printing a screen view document 

27. A method according to claim 24 wherein said policy further comprises 
definitions of actions to be performed. 

28. A method according to claim 27, wherein said actions comprise any of: 
enabling usage of at least part of said information; 
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disabling usage of at least part of said information;' 

restricting the usage of at least part of said information, according to a 

pre-determined set of restrictions; 

reporting about the usage of at least part of said information, and 

monitoring the usage of at least part of said information. 
29. A method according to claim 28, wherein said restriction of usage imposes 
requiring encryption of at least part of said protected information. 

30* A method according to claim 29, wherein said required encryption is such that 
corresponding encrypted information can be decrypted only by a secure client. 

31. A method according to claim 28, wherein said restriction of usage requires said 
protected information to reside on a secure server. 

32. A method according to claim 3 1 , comprising arranging a connection between 
said secure server and said workstation such that the transport between said secure server 
and said workstation is protected. » 

33. A method according to claim 32, wherein said protected transport comprises an 
encrypted transport. 

34. A method according to claim 29, wherein said encryption of protected 
information further comprising encryption of a file comprising at least part of said 
protected information wherein said file is at least one of the following: 
temporary file and auto-recovery file. 

35. A method according to claim 31, wherein said protected information further 
comprises a file comprising at least part of said protected information, wherein said file 
comprises any of temporary file and auto-recover file. 
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36. A method according to claim 17, wherein said software client authenticates itself 
to a server before at least some of the sessions. 

37. A method according to claim 36, wherein said authentication depends on a 
classification level assigned to said protected information. 

38. A method according to claim 36, wherein said authentication comprises any of: 
password based authentication; and 

network address based authentication. 

39. A method according to claim 1 7, wherein said software client comprises 
components that can be automatically replaced. 

40. A method according to claim 3 1 , wherein said secure server employs 
cryptographic encryption of at least one file containing said protected information. 

41. A method according to claim 31, wherein communication with said server is 
substantially transparent to said user. 

42. A method according to claim 17, wherein in accordance with said policy said 
protected information is encrypted utilizing the encryption capabilities of said software 
application. 

43. A method according to claim 42, wherein said software application operable to 
process said information is any of: 

a word processing application; 
Microsoft "word"; 
Open office "word", and 
Star office "word". 
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44. A method according to claim 1 7, wherein said software application comprises a 
control flag imparting a status of either read only or lock to a corresponding file, and 
wherein file modification within said software application which is operable to process 
said information is disabled via said flag. 

45. A method accoiding to claim 44* wherein said disabling of said file modification 
is controlled by said policy. 

46. A method according to claim 1 , wherein said policy comprises adding forensic 
information to said protected information. 

47. A method according to claim 17, wherein said software client replaces the 
clipboard functionality of said software application thereby to process said protected 
information with a secure clipboard functionality. 

48. A method according to claim 47, wherein said protected information copied into 
said secure clipboard is stored in an internal data structure inaccessible to other 
applications, 

49. A method according to claim 17, wherein said software client is installed 
automatically from a remote server. 

50. A method according to claim 49, wherein said installation of said software client 
utilizes anti-virus installation infrastructure. 

51. A method according to claim 1 7, wherein updates of said software client utilize 
anti-vims update infrastructure. 

52. A method according to claim 17, wherein at least part of the software code of 
said software client resides in an encrypted form. 
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53. A method according to claim 17, wherein at least part of the software code of 
said software client is attached to hardware of said computer workstation, 

54. A method according to claim 1 7, wherein said software client is operable to 
automatically add information to said protected information in accordance with said 
policy. 

55. A method acconling to claim 54, wherein said added information comprises any 
of: 

a document header; 

a document footer; and 

a textual disclaimer. ' 

56. A method according to claim 1 7, wherein said client software is operable to open 
file that comprises said protected information only while connected to at least one server. 

57. A method according to claim 56, wherein said servers enforce a policy with 
respect to said protected information. 

58* A method according to claim 57, wherein said policy implies a set of restrictions 
regarding the usage of the said protected information. 

59. A method according to claim 1 7, wherein said client software is operable to 
check that it is connected to a predetermined server before decrypting a file that comprise 
said protected information. 

60. A method according to claim 59* wherein said servers enforce a policy with 
respect to said protected information, and wherein said policy comprises a set of 
restrictions regarding the usage of the said protected information. 
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61. A method according to claim 56, wherein at least two servers are operable to 
define said policy. 

62. A method according to claim 61 , wherein, in the event of two or more conflicting 
policies being found, a strictest one of the policies is identified and used. 

63. A method according to claim 62, wherein in the event of two or more conflicting 
policies being found, a policy comprising the union of restrictions of said policies is used. 

64. A method according to claim 56, wherein connection to at least two servers are 
required in order to determine said policy. 

65. A method according to claim 56, wherein said server authenticates the integrity 
of said client by requiring a cryptographic hash of at least part of said client's software. 

66. A method according to claim 66, wherein said cryptographic hash is with respect 
to a random address in said client's software. 

67. A method according to claim 56, wherein said client is entangled with said 
server's software, such that a functioning stand-alone copy of said client's software does 
not exist. 

68. A method according to claim 56, wherein said method comprises at least two 
levels of protection, and wherein said levels of protection are operable to be configured 
as a function of the secrecy of said protected information. 

69. A method according to claim 68, wherein in the most secure of said levels of 
protection, said protected information can only be accessed while connected to said 
server. 
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70. A method according to claim 68, wherein in at least one of said levels of 
protection, said information can be accessed for a limited time after the connection with 
said server was terminated. 

71 . A method according to claim 68, wherein in at least one of said levels of 
protection, said information can be accessed until the end of a current login session* 

72. A method according to claim 68, wherein in at least one of said levels of 
protection, said information can be unlimitedly accessed after the server approves said 
information, 

73. A method for information protection, said information comprising information 
items, said information being for usage on a computer workstation, comprising: 

a) defining an information protection policy with respect to certain information 
item 

b) determining the measures required to protect said information according to said 
policy 

c) allowing said usage on a computer workstation of information comprising said 
items for which an information protection policy is defined only while said 
required measures are being applied. 

74. A method according to claim 73, wherein said information protection measures 
comprises protecting information within a client software application. 

75. A method according to claim 74, wherein said protecting information within a 
client software application comprises disabling at least one of the controls of said 
application. 

76. A method according to claim 73, wherein said information protection measures 
comprises encryption of the memory of a graphic card or a video card. 
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77. A method according to claim 73, wherein said information protection measures 
comprises forcing a video card or a graphic card to a mode that causes no meaningful 
information to be stored in said video card's memory. 

78. A method according to claim 73, wherein said information protection measures 
comprises scanning at least one storage device and identifying the existence of 
pre-defined information objects* 

79. A method according to claim 78, wherein said pre-defined information objects 
comprise confidential information objects. 

80. A method according to claim 73, wherein said information protection policy 
comprises at least one rule regarding at least one event of at least one software 
application operable to handle said information. 

81. A method for information protection, said information comprising information 
items, said information being for presentation on a computer screen, comprising: 

a) defining an information protection policy with respect to certain information 
item 

b) determining the measures required to resist screen capture according to said 
policy 

c) allowing presentation of information comprising items for which an 
information protection policy is defined on said computer screen only while said 
required measures are being applied. 

82. A method according to claim 81, wherein said measures comprise requiring 
typing a key-combination that forces the user to keep both hands on a keyboard. 

83 . A method according to claim 8 1 , wherein said measures comprise: 
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a) attaching and connecting a digital video camera to said computer, said digital 
camera photographing the user; 

b) analyzing the output of said camera in order to determine that the user is 
looking at said computer screen; and 

c) presenting said protected information on said computer screen only while the 
user is looking at said computer screen . 

84. A method according to claim 83, wherein said analysis of the output of said 
camera farther allows to determine the part of said screen on which the eyes of said user 
are focused and said protected information appears only on the part of said screen on 
which the eyes of said user are focused. 

85. A method according to claim 83, wherein said analysis further allows to verify 
the identity of said user and said protected information is presented on said computer 
screen only after the identity of said user has been verified to be an identity of a user 
authorized to access said information, 

86. A method according to claim 83, comprising storing the video sequence that is 
produced by said camera while the user is viewing said information. 

87. A method according to claim 86, comprising storing said video sequence in a 
secure storage, 

88. A method according to claim 81, comprising setting the frame-rate of the screen 
in a manner that is not synchronized with standard frame-rates of video cameras. 

89. A method according to claim 8 1 , comprising dynamically changing the 
frame-rate of the screen. 

90. A method according to claim 81 , wherein said measures comprise viewing said 
information being allowed only using a head-mounted display. 
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91. A method according to claim 8 1 , wherein said measures comprise a sensor 
operable to detect that said user is wearing said head-mounted display, and wherein said 
protected information is presented on said screen only if said sensor has verified that said 
user is wearing said head-mounted display* 

92. A method according to claim 90, wherein said head-mounted display is equipped 
with a device operable to identify said user using a biometric feature. 

93. A method according to claim 92, wherein said protected information is presented 
on said head-mounted display only after said sensor has verified that said user identity is 
an identity of an user authorized to use said information. 

94. A method according to claim 91, wherein said measures comprise requiring 
usage of special glasses for viewing said information on said computer screen. 

95. A method according to claim 94, wherein said special glasses are equipped with 
shutters, said shutters being opened only when said information is displayed. 

96. A method according to claim 94, wherein at least part of said information is 
presented on said screen in certain, very short, time intervals, while other visual 
information is presented on said screen during other time intervals, in a manner operable 
to interfere with viewing said information without said glasses or with photographing the 
screen. 

97. A method according to claim 94, wherein said information is presented on said 
screen in a manner that can substantially be viewed only while using glasses operable to 
present 3-dimensional image of said information presented on said screen. 
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98. A method according to claim 94, wherein said measures comprise a sensor 
operable to detect that said user is wearing said glasses, and wherein said protected 
information is presented on said screen only if said sensor has verified that said user is 
wearing said glasses. 

99. A method according to claim 94, wherein said glasses are equipped with a device 
operable to identify said user using a biometric feature. 

100. A method according to claim 99, wherein said protected information is presented 
on said screen only after said sensor has verified that said user identity is an identity of an 
user authorized to use said information. 

101. A method according to claim 81, wherein said measures comprise at least one 
camera-detection sensor, operable to detect the presence of camera, 

1 02. A method according to claim 101, wherein said protected information is 
presented on said screen only after said sensor has substantially verified that no camera 
capable of taking screenshots of said screen exists in a position that allows taking 
screenshots of said screen. 

r 

103. A method according to claim 81 s . wherein said measures comprise verifying that 
the screen on which said information is to be displayed is a screen that restricts the 
viewing angle. 

104. A method according to claim 81, wherein said measures comprise constantly 
moving the protected information. 

105. A method according to claim 81 , wherein said measures comprise displaying the 
text against a background that is designed in a manner that effectively reduces the quality 
of a picture taken by a standard camera. 
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1 06. A method according to claim 8 1 , wherein said measures comprise requiring the 
usage of a LCD screen. 

1 07. A method for computer workstation based information protection, the method 
comprising: 

a) detecting an event occurring at said workstation, 

b) directing handling of said event, and 

c) employing information protection based on an assessment of an importance of 
said event to protection of information indicated as requiring protection 
technique. 

1 08. A method according to claim 1 07, further comprising: 

handling an event, said event being designated as directing information 
protection, and 

employing a said information protection technique in reaction to said event. 

1 09. A method according to claim 108, wherein said event comprise any of: 
loading a local operating system; 

loading an application; 
user action; 

presenting a specific information into the system 

an event generated by another system; 

suspicious activity; 

operating system time event, ; and 

a network time event. 

110. A system for computer workstation based information protection, the system 
comprising: 

i) a monitor for monitoring user's actions on said computer workstation; 
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ii) an analyzer for analyzing said actions in respect to a pre-defined policy to 
determine whether said actions prejudice information to which said policy 
applies, and 

Hi) a policy execution module for executing said policy in accordance with 
the results of said analysis to prevent or modify or restrict or monitor or log said 
actions. 

111. A system according to claim 1 10, wherein said policy comprises restrictions on at 
least one of the following actions: print, save, copy, autosave, fax. 

112. A system according to claim 110, wherein said monitoring said user's actions on 
said workstation comprises detection of indications of attempts at tampering, 

113. A system according to claim 1 1 2, wherein said detection of indications of 
attempts of tampering comprises detection of at least one un-certified add-in. 

114. A system according to claim 113, wherein said detection of indications of 
attempts at tampering comprises detection of at least one debugging technique, 

115. A system according to claim 1 12, wherein said policy comprises restrictions of 
actions made available to said user upon said detection of indications of attempts of 
tampering. 

116. A system according to claim 115, wherein said restrictions of user's actions upon 
said detection of indications of attempts of tampering comprise applying restrictions on 
actions within a software application operable to process said information. 

117. A system according to claim 1 1 6, wherein said software data processing 
application operates in conjunction with a tamper-resistant software client. 
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118. A system according to claim 1 1 7, wherein said software client is operable to 
monitor said user's actions and to execute said policy. 

119. A system according to claim 1 1 7, wherein said software client is operable to 
detect information based on statistical identifiers residing in a specialized database. 

120. A system according to claim 1 17, wherein said software client is further operable 
to detect events of said software application. 

121. A system according to claim 110, wherein said policy further comprising 
managing usage rights. 

1 22. A system according to claim 121 , wherein said usage rights comprise any of: 
viewing at least part of said information; 

modifying at least part of said information; 

sending at least part of said information to a recipient; 

storing at least part of said information; 

storing at least part of said information by an application; 

storing at least part of said information by a file system; 

storing at least part of said information in a portable device; 

storing at least part of said information in a removable media; 

storing at least part of said information portable storage device that is connected 

to said workstation using a USB port; 

pasting at least part of said information into a document; 

printing at least part of said information; 

printing at least part of said information to file; 

printing at least part of said information to a fax, and 

printing a screen view document. 
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123. A system according to claim 1 17, wherein said client software is operable to 
check that it is connected to a predetermined server before decrypting a file that comprise 
said protected information only while connected to at least one server. 

124. A system according to claim 123, wherein said servers enforce a policy with 
respect to said protected infonnation, and wherein said policy comprises a set of 
restrictions regarding the usage of the said protected information. 

125. A system according to claim 1 16, wherein said software application operable to 
process said infonnation is any of: 

a word processing application; 
Microsoft "woni"; 
Open office "word", and 
Star office "word". 

126. A system according to claim 1 17, wherein said software client replaces the 
clipboard functionality of said software application thereby to process said protected 
information with a secure clipboard functionality. 

127. A system according to claim 117, wherein said software client is installed or 
updated automatically from a remote server. 

128. A system according to claim 127, wherein said installation or updates of said 
software client utilize anti-virus installation infrastructure. 

129. A system according to claim 127, wherein said software client is operable to 
automatically add information to said protected information in accordance with said 
policy. 

130. A system for information protection, said information comprising information 
items, said information being for usage on a computer workstation, comprising: 
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a) a policy reference monitor for defining an information protection policy with 
respect to certain information item and determining the measures required to 
protect said information according to said policy 

b) a policy execution module for allowing said usage on a computer workstation 
of information comprising said items for which an information protection policy 
is defined only while said required measures are being applied. 

131. A system for information protection, said information comprising information 
items, said information being for presented presentation on a computer screen, 
comprising: 

a) a policy reference monitor for defining an information protection policy with 
respect to an certain information item and determining the measures required to 
resist screen capture according to said policy 

b) a policy execution module for allowing presentation of information comprising 
items for which an information protection policy is defined on said computer 
screen only while said required measures are being applied. 

132. A system according to claim 131, wherein said measures comprise requiring 
typing a key-combination that forces the user to keep both hands on a keyboard. 

133. A system according to claim 131, wherein said measures comprise: 
attaching and connecting a digital video camera to said computer, said digital 
camera photographing the user; 

analyzing the output of said camera in order to determine that the user is looking 
at said computer screen; and 

presenting said protected information on said computer screen only while the user 
is looking at said computer screen . 

134. A system according to claim 133, wherein said analysis further allows to verify 
the identity of said user and said protected information is presented on said computer 
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screen only after the identity of said user has been verified to be an identity of a user 
authorized to access said information. 

135. A system according to claim 133, comprising storing the video sequence that is 
produced by said camera while the user is viewing said information. 

1 36. A system according to claim 13 1, comprising setting the frame-rate of the screen 
in a manner that is not synchronized with standard frame-rates of video cameras. 

137. A system according to claim 131, comprising dynamically changing the 
frame-rate of the screen. 

138. A system according to claim 131, wherein said measures comprise viewing said 
information being allowed only using a head-mounted display. 

139. A system according to claim 131, wherein said measures further comprise a 
sensor operable to detect that said user is wearing said head-mounted display, and 
wherein said protected information is presented on said screen only if said sensor has 
verified that said user is wearing said head-mounted display. 

140. A system according to claim 139, wherein said head-mounted display is equipped 
with a device operable to identify said user using a biometric feature. 

141 . A system according to claim 131, wherein said measures comprise requiring 
usage of special glasses for viewing said information on said computer screen. 

142. A system according to claim 141, wherein at least part of said information is 
presented on said screen in certain, very short, time intervals, while other visual 
information is presented on said screen during other time intervals, in a manner operable 
to interfere with viewing said information without said glasses or with photographing the 
screen. 
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143. A system according to claim 131, wherein said measures comprise at least one 
camera-detection sensor, operable to detect the presence of camera- 

144. A system according to claim 143, wherein said protected information is presented 
on said screen only after said sensor has.substantially verified that no camera capable of 
taking screenshots of said screen exists in a position that allows taking screenshots of said 
screen. 

145. A system according to claim 131, wherein said measures comprise constantly 
moving the protected information- 

146. A system according to claim 131, wherein said measures comprise displaying the 
text against a background that is designed in a manner that effectively reduces the quality 
of a picture taken by a standard camera. 
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